FD1094

From Sega Retro

This article needs cleanup.This article needs to be edited to conform to a higher standard of article quality. After the article has been cleaned up, you may remove this message. For help, see the How to Edit a Page article.

FD1094

The FD1094 (also labeled FD1089; the differences are unknown) is a MC68000 clone manufactured by Hitachi for use in Segaarcade games. The FD1094 is one of the earliest(?) and most infamous examples of a battery being used in a copy protection chip.

In the FD1094, opcodes and opcode data are encrypted individually, and regular opcodes and opcodes in interrupt vectors are also encrypted differently. The encryption is done using battery-backed SRAM stored within the chip — the lowest RAM locations are used for decryption, while the rest store the encryption key. There is no protection from opening the chip; merely removing the battery or letting it die will kill the SRAM contents, rendering the game unbootable.

There are multiple possible encryption modes freely selectable by the game; they are selected with the opcode

cmpi.l #$00xxFFFF,d0

where xx is the encryption state.

In addition, the chip disables the pc-relative addressing modes (d16(pc) and d8(pc,xN.w/.l)). According to the MAME source, the pc-relative modes would make it easier to dump the unencrypted data somehow (TODO).

It is possible for someone who owns a FD1094-based game to replace the battery, and several decrypted versions of games exist. As decryption is determined during program execution, it is difficult to decrypt games without analyzing the code.